mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

OIDC : add capability to fetch other property than email #5781

Open thopico opened 6 months ago

thopico commented 6 months ago

Summary

Hi ! Would it be possible to add a setting in OIDC configuration so that Mailcow fetches another property than email when identifying user email address? Actually, it would rather be a custom attribute.

Motivation

I would like to use Keycloak as idp and Mailcow as a particular service among others delivered to our users. They would eventually have a main email address (outside of our organization scope) to register and be able to retrieve their password. Also, they could have an optional attribute for those who want a mailbox with our organization.

From my point of view, it is more suitable to have the Mailcow email address stored in a custom attribute than the email property as the users would be locked out if they want to reset their password (the link would fall in the mailbox secured with the same lost password), and this email service is just one optional among several others. Appreciate any comment. Thank you very much.

Additional context

No response

NotActuallyTerry commented 6 months ago

This would be great to be able to configure, considering most systems will assume that the email attribute is always contactable.

If you want to get this up & running in Keycloak now, you can set up the Mailcow client to have a different attribute mapped to email:

Create a custom attribute in Keycloak:

To set up Moocow to be sent this attribute instead:

Once applied, then it'll send that attribute instead!

kb01guy commented 5 months ago

I had the same issue but figured it out, thanks to @NotActuallyTerry, after some time. For the mapper, "User Property" did not work, but "User Attribute" did. I'd like to add some visuals to help people not as familiar with Keycloak.

My custom attribute on the user looks like this: [image]

Then, for my client at Clients (left menu/bar) > mailcow (or moocow in the list) > Client scopes (tab) > mailcow-dedicated (or moocow-dedicated in the list), add the mapper by clicking "Add mapper" > "By configuration" and then choose "User attribute" ("User property" did not work for me!). The mapper looks like this: [image]

One last thing to add: users who have no user attribute "mailcow_email" added still get logged in with their email property, which is bound to Keycloak's password reset mechanism.

thopico commented 5 months ago

Thank you for your answers, but I did try those two solutions and neither of them worked... I am using KC v23.0.6 and mailcow version ffbf1758e0a8e49d3b030b6edba67ac4d3eb8a61

With the "user attribute" way, I ended up with 2 email tokens in the userinfo, and so mailcow failed to create the account. Am I missing something?

thopico commented 5 months ago

I finally managed to fetch the appropriate custom attribute after tweaking settings again and again on both mailcow and Keycloak. What at least worked for me was:

  1. add a token mapper whose type is "token attribute" and switch on Add to ID token, Add to access token and Add to userinfo [image]
  2. turn on Authorization in the client capability config [image]
  3. configure a Generic OIDC identity provider in mailcow with the openid scope

tadaam 🎉

But thank you: since you succeeded in getting it working, I haven't stopped trying again and again ;)
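The thread above turns on two relying-party behaviours: which claim the mail server reads as the mailbox address (the configurable attribute thopico asks for, which NotActuallyTerry and kb01guy emulate by mapping a Keycloak user attribute), whether a user who lacks that attribute falls back to the contactable `email` claim (kb01guy's observation), and what to do when the userinfo document carries the same claim name twice (the failure thopico hit). The following is an added example, not mailcow's code and not Keycloak's; it sketches how a relying party could implement that selection. The claim name `mailcow_email`, the managed-domain list, the function names and the sample userinfo payloads are all constructed for illustration.

```python
"""Hypothetical relying-party helper: pick the mailbox address out of an OIDC
userinfo/ID-token payload. Added example; not mailcow's own implementation."""
import json
import re
from typing import Optional

# Domains this mail server hosts. Constructed sample; a real server would
# consult its own domain table instead of a hard-coded set.
MANAGED_DOMAINS = {"example.org"}

# Deliberately simple address shape check; full RFC 5322 parsing is out of scope.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_userinfo(raw: str) -> dict:
    """Parse a userinfo JSON document, refusing duplicated claim names.

    json.loads() silently keeps the last value for a repeated key, so a payload
    with two 'email' claims would be accepted with whichever one the IdP
    serialised last. Using object_pairs_hook makes the duplicate visible so
    the login can be rejected with a clear error instead of binding the
    session to an address nobody chose.
    """
    def reject_duplicates(pairs):
        claims = {}
        for key, value in pairs:
            if key in claims:
                raise ValueError(f"duplicate claim {key!r} in userinfo")
            claims[key] = value
        return claims

    return json.loads(raw, object_pairs_hook=reject_duplicates)


def select_mailbox(claims: dict, mailbox_claim: str = "email",
                   fallback_to_email: bool = False) -> Optional[str]:
    """Return the mailbox address to bind the session to, or None to refuse.

    mailbox_claim:     the configurable claim name the feature request asks for
                       (e.g. the hypothetical 'mailcow_email').
    fallback_to_email: whether a user without that claim may still log in with
                       the contactable 'email' claim. Off by default, because
                       that claim is the one tied to the IdP's password-reset
                       flow and need not be a mailbox this server hosts.
    """
    value = claims.get(mailbox_claim)
    if value is None and fallback_to_email and mailbox_claim != "email":
        value = claims.get("email")
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    if not ADDRESS_RE.match(value):
        return None
    domain = value.rsplit("@", 1)[1]
    if domain not in MANAGED_DOMAINS:
        # An address we do not host: creating a mailbox for it makes no sense.
        return None
    return value


def login_decision(raw_userinfo: str, mailbox_claim: str = "email",
                   fallback_to_email: bool = False) -> str:
    """Combine parsing and selection into a single outcome string."""
    try:
        claims = parse_userinfo(raw_userinfo)
    except ValueError as exc:
        return f"reject: {exc}"
    address = select_mailbox(claims, mailbox_claim, fallback_to_email)
    return f"accept: {address}" if address else "reject: no usable mailbox claim"


# Constructed sample payloads, shaped like what a userinfo endpoint returns.
SAMPLE_WITH_ATTRIBUTE = json.dumps({
    "sub": "7b1c", "email": "alice@mail.example", "email_verified": True,
    "mailcow_email": "Alice@example.org",
})
SAMPLE_WITHOUT_ATTRIBUTE = json.dumps({
    "sub": "9e42", "email": "bob@example.org", "email_verified": True,
})
SAMPLE_DUPLICATE_EMAIL = ('{"sub":"c0de","email":"carol@mail.example",'
                          '"email":"carol@example.org"}')

if __name__ == "__main__":
    for name, raw in [("with attribute", SAMPLE_WITH_ATTRIBUTE),
                      ("without attribute", SAMPLE_WITHOUT_ATTRIBUTE),
                      ("duplicate email", SAMPLE_DUPLICATE_EMAIL)]:
        print(f"{name:18} -> {login_decision(raw, 'mailcow_email')}")
```

With `mailbox_claim="mailcow_email"` the first payload logs in as `alice@example.org` even though its `email` claim points elsewhere; the second is refused unless `fallback_to_email=True`, which is the behaviour kb01guy saw; the third is refused outright rather than silently taking whichever `email` value was serialised last.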

NotActuallyTerry commented 3 months ago

Coming back to this issue on my end, this mapper will only work if the email claim isn't sent from Mailcow (as thopico has found out). Therefore, it would be helpful if we could specify what claims to send to Keycloak when logging in. @thopico could you please re-open this issue?